This will be a post in three, well, probably three, parts, which I will probably post to Medium once done as a single thread. The eventual idea is to give a more complete picture of what I am trying to do -- and what I mean by networked inference. For now I want to proof a concept and get some of you along for the ride. Don't think of yourselves as bookish researchers, think CSI-Woke.
When someone says a file or ‘page’ is on “the Internet,” they’re saying it’s on someone else’s computer where it can be accessed from another. The computers themselves must communicate according to a sort of heuristic, and “Google hacking” for research is really about understanding that vocabulary as well as that of the subject matter, how to find the lowest common denominator to make your task as fruitful and *automated* as possible.
For this post I’m trying a cold search, “live,” if you will, in that I am typing these words and have only now conducted some preliminary information gathering (which I, I have to admit, absolutely delight at calling passive reconnaissance).
A few years ago I was searching for info about Automatic License Plate Readers, ALPR, Googling by manufacturer “Genetec.” I found a “Read Me” file from an FTP server, that it turned out was a live ALPR server for the City of Boston, with classified watchlists including thousands on a “Gang/Terror” watch.
At the time I was just searching Google, but once I found something interesting I used a variety of other tools to remotely scan the server and its directories to see what I could learn.
I found out recently that you could search Shodan, the Search Engine for the Internet of Things, for text in the “html” field. Shodan indexes, among other data about the physical architecture of the Web, headers which provide response codes (like 100, 200, “404 Error,” etc), and often descriptive information about the function of the computer (or machine, or site, for the purposes of Shodan’s heuristic, host).
In Boston I located a Genetec AutoVu server. I searched Shodan for html:”autovu”
This brings back four results, once filtered to just the US (probably two ALPR systems, 3 IP addresses, one is repeated in the results).
Even if this is the most we can see for ourselves of the ALPR system on these hosts, we can already learn quite a lot. I’ll wrap this post up by quickly breaking down some clues sitting in the open.
Three results have the title: LPRaaS - experience allows me to infer that this is probably a combination of “License Plate Reader” and “Software As A Service,” SaaS, LPRaaS, “License Plate Reader as a Service. This jives with more from the Shodan results. All hosts are on Microsoft Azure cloud. One host, 23.101.179.17, is in Dallas, according to the Shodan map, and two hosts are in “United States, Boydton” 40.76.94.185, and 23.96.96.47.
The second is particularly interesting. The page title is Login - AutoVu Occupancy Study
What we have in this case appears to be a field test for an occupancy-detection/plate-reader hybrid solution, located in Boydton, in Virginia, all the way down on the North Carolina border -- where would you look at that there's a Microsoft Data Center.
Next we’ll look at the port numbers and sources of useful info in the metadata, expand our investigation to some other tools, there are some mysteries it will be fun to suss out.
We can go ahead and visit the hosts in our browsers, as all have open HTTPS ports (443). Bingo. We've got a varmint.
When someone says a file or ‘page’ is on “the Internet,” they’re saying it’s on someone else’s computer where it can be accessed from another. The computers themselves must communicate according to a sort of heuristic, and “Google hacking” for research is really about understanding that vocabulary as well as that of the subject matter, how to find the lowest common denominator to make your task as fruitful and *automated* as possible.
For this post I’m trying a cold search, “live,” if you will, in that I am typing these words and have only now conducted some preliminary information gathering (which I, I have to admit, absolutely delight at calling passive reconnaissance).
A few years ago I was searching for info about Automatic License Plate Readers, ALPR, Googling by manufacturer “Genetec.” I found a “Read Me” file from an FTP server, that it turned out was a live ALPR server for the City of Boston, with classified watchlists including thousands on a “Gang/Terror” watch.
I found out recently that you could search Shodan, the Search Engine for the Internet of Things, for text in the “html” field. Shodan indexes, among other data about the physical architecture of the Web, headers which provide response codes (like 100, 200, “404 Error,” etc), and often descriptive information about the function of the computer (or machine, or site, for the purposes of Shodan’s heuristic, host).
In Boston I located a Genetec AutoVu server. I searched Shodan for html:”autovu”
This brings back four results, once filtered to just the US (probably two ALPR systems, 3 IP addresses, one is repeated in the results).
Three results have the title: LPRaaS - experience allows me to infer that this is probably a combination of “License Plate Reader” and “Software As A Service,” SaaS, LPRaaS, “License Plate Reader as a Service. This jives with more from the Shodan results. All hosts are on Microsoft Azure cloud. One host, 23.101.179.17, is in Dallas, according to the Shodan map, and two hosts are in “United States, Boydton” 40.76.94.185, and 23.96.96.47.
The second is particularly interesting. The page title is Login - AutoVu Occupancy Study
What we have in this case appears to be a field test for an occupancy-detection/plate-reader hybrid solution, located in Boydton, in Virginia, all the way down on the North Carolina border -- where would you look at that there's a Microsoft Data Center.
I know off the top of my head that Massachusetts state was working with Xerox on such a system on state roads, which in addition to scanning and archiving plate numbers of passing cars used a computer vision algorithm to determine how many people are in the car (or perhaps whether the car has only one or more than occupant -- this type of system is frequently deployed for monitoring occupancy-restricted lanes -- “carpool lanes.”)
Next we’ll look at the port numbers and sources of useful info in the metadata, expand our investigation to some other tools, there are some mysteries it will be fun to suss out.
We can go ahead and visit the hosts in our browsers, as all have open HTTPS ports (443). Bingo. We've got a varmint.
Comments
Post a Comment